lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1209711.1746527190@warthog.procyon.org.uk>
Date: Tue, 06 May 2025 11:26:30 +0100
From: David Howells <dhowells@...hat.com>
To: Christian Brauner <brauner@...nel.org>
Cc: dhowells@...hat.com, Alexander Viro <viro@...iv.linux.org.uk>,
    Etienne Champetier <champetier.etienne@...il.com>,
    Marc Dionne <marc.dionne@...istor.com>,
    Jeffrey Altman <jaltman@...istor.com>,
    Chet Ramey <chet.ramey@...e.edu>, Steve French <sfrench@...ba.org>,
    linux-afs@...ts.infradead.org, openafs-devel@...nafs.org,
    linux-cifs@...r.kernel.org, linux-fsdevel@...r.kernel.org,
    linux-kernel@...r.kernel.org
Subject: Re: [PATCH] afs, bash: Fix open(O_CREAT) on an extant AFS file in a sticky dir

Christian Brauner <brauner@...nel.org> wrote:

> > However, the bash work around is going to be removed:
> 
> Why is it removed? That's a very strange comment:

Because it makes bash output redirection work differently to other programs, I
would guess.  It's actually a simple security check to work around (just retry
the open() with O_CREAT dropped) - however, it does expose an... error, I
suppose, in the Linux kernel: namely that the VFS itself is treating foreign
files as if they had local system ownership.

We have the ->permission() inode op for this reason (I presume) - but that
only applies to certain checks.  The VFS must not assume that it can interpret
i_uid and i_gid on an inode and must not assume that it can compare them to
current->fsuid and current->fs_gid.

Now, in my patch, I added two inode ops because they VFS code involved makes
two distinct evaluations and so I made an op for each and, as such, those
evaluations may be applicable elsewhere, but I could make a combined op that
handles that specific situation instead.

David

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ